All of these values can be modified using transforms, the only caveat being that
these transforms are applied after the parsing step. The practical consequence of
this is that you cannot apply different parsing rules to different events in the same
file, for instance, different time formats on different lines.
Files as inputs
The vast majority of events in Splunk come from files. Usually, these events are read
on the machine where they are produced, as the logs are written. Very often, the
entire input stanza looks like this:
[monitor:///logs/interesting.log*]
sourcetype=interesting
This is often all that is needed. This stanza says:
• Read all logs that match the pattern /logs/interesting.log* and, going
forward, watch them for new data
• Name the source type interesting
• Set the source to the name of the file in which the log entry was found
• Default the host to the machine where the logs originated
• Write the events to the default index
These are usually perfectly acceptable defaults. If sourcetype is omitted, Splunk will
pick a default source type based on the filename, which you do not want: your source
type list will get very messy very fast.
Using patterns to select rolled logs
You may notice that the previous stanza ended in * . This matters because it
gives Splunk a chance to find events that were written to a log that has recently
rolled. If we simply watch /logs/interesting.log , events written just before the
roll are likely to be missed, particularly on a busy server.
Will we end up with duplicate events after the log rolls to interesting.log.1
or interesting.log.2012-09-17 ? The answer is "almost certainly not". Splunk does
not use filenames to decide which files it has already read; it identifies a file by
a checksum of the file's contents (by default, a CRC of the first 256 bytes) and
remembers how far into that file it has read. This means that logs can be renamed,
or even moved to a different filesystem on the same server, and they will still be
recognized as the same file. The flip side is worth knowing: two different files
whose first 256 bytes are identical, for instance logs that all start with the same
fixed header, are treated as the same file, and only one of them is indexed. For
those, set crcSalt = <SOURCE> in the stanza so the file path is mixed into the
checksum, or raise initCrcLength so the checksum covers bytes that differ.
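The behaviour described in this section is easy to reason about with a small model. The following Python script is an added example written for this page, not Splunk's own code: it imitates the bookkeeping Splunk keeps per file (a checksum of the first 256 bytes plus a read offset; the constant, the Fishbucket class, the sample sshd-style log lines and the demo functions are all assumptions constructed for the example) and runs three scenarios in a temporary directory: watching interesting.log* across a logrotate rename, watching only the exact filename, and two files that share an identical header with and without the path salted into the checksum.

```python
import glob
import os
import tempfile
import zlib

# Assumption for this toy model: Splunk's default initCrcLength is 256 bytes.
INIT_CRC_LENGTH = 256


def file_crc(path, salt=b""):
    """CRC32 of the salt plus the first INIT_CRC_LENGTH bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(INIT_CRC_LENGTH)
    return zlib.crc32(salt + head) & 0xFFFFFFFF


class Fishbucket:
    """Toy stand-in for Splunk's per-file bookkeeping: checksum -> bytes consumed.

    The model ignores files shorter than INIT_CRC_LENGTH, whose checksum would
    change as they grow; the sample data below is sized so that never happens.
    """

    def __init__(self, crc_salt_source=False):
        # crc_salt_source mimics crcSalt = <SOURCE>: the path joins the checksum input.
        self.crc_salt_source = crc_salt_source
        self.offsets = {}

    def _key(self, path):
        salt = path.encode() if self.crc_salt_source else b""
        return file_crc(path, salt)

    def read_new(self, path):
        """Return the lines not yet consumed from the file this checksum identifies."""
        key = self._key(path)
        offset = self.offsets.get(key, 0)
        with open(path, "rb") as f:
            f.seek(offset)
            data = f.read()
        self.offsets[key] = offset + len(data)
        return data.decode().splitlines()

    def poll(self, pattern):
        """Emulate [monitor:///...*]: visit every file matching the glob."""
        events = []
        for path in sorted(glob.glob(pattern)):
            events.extend(self.read_new(path))
        return events


def write(path, lines, mode="a"):
    with open(path, mode) as f:
        f.write("".join(line + "\n" for line in lines))


def sample_lines(start, stop):
    # Constructed sample log lines (~110 bytes each), so three of them exceed INIT_CRC_LENGTH.
    return [f"2012-09-17T00:00:{i:02d} host=web1 sshd[1234]: Failed password for invalid user admin "
            f"from 10.0.0.{i} port 5{i:04d} ssh2" for i in range(start, stop)]


def _roll_scenario(watch):
    """watch(dir) returns the path or glob pattern the toy monitor polls."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "interesting.log")
        bucket = Fishbucket()
        write(log, sample_lines(0, 3), "w")
        events = bucket.poll(watch(d))
        write(log, sample_lines(3, 5))        # two lines land after the last poll
        os.rename(log, log + ".1")            # logrotate renames the file
        write(log, sample_lines(5, 6), "w")   # a fresh interesting.log appears
        events += bucket.poll(watch(d))
        return events


def demo_roll_with_pattern():
    """Every line is read exactly once across the rename: (6 events, 6 distinct)."""
    events = _roll_scenario(lambda d: os.path.join(d, "interesting.log*"))
    return len(events), len(set(events))


def demo_roll_without_pattern():
    """Watching only the exact filename loses the two lines written before the rename."""
    return len(_roll_scenario(lambda d: os.path.join(d, "interesting.log")))


def demo_identical_headers(crc_salt_source):
    """Two logs sharing a >256-byte fixed header: unsalted, the second one is skipped."""
    with tempfile.TemporaryDirectory() as d:
        header = ["# " + "=" * 120, "# application audit log, format v2", "# " + "=" * 120]
        a, b = os.path.join(d, "audit-web1.log"), os.path.join(d, "audit-web2.log")
        write(a, header + ["web1 event A"], "w")
        write(b, header + ["web2 event B"], "w")
        bucket = Fishbucket(crc_salt_source)
        bucket.read_new(a)
        return bucket.read_new(b)


if __name__ == "__main__":
    print("with pattern (events, distinct):", demo_roll_with_pattern())
    print("without pattern, events read:", demo_roll_without_pattern())
    print("identical headers, unsalted:", demo_identical_headers(False))
    print("identical headers, salted:", demo_identical_headers(True))
```

The first scenario returns six events with no duplicates because the rotated file keeps its checksum and its read offset; the second returns only four, since nobody ever looks at interesting.log.1. The header scenario is the case to watch for in practice: without salting, the second file's checksum collides with the first, its offset already equals the file length, and nothing is read from it.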